Ludovic Poitou blog about Identity, Directory and others…

Directory Server 6.0 introduced many changes in its administration tools: a new GUI, new CLIs such as dsconf and dsadm.

dsadm has a set of commands to do certificate management for directory server instances, such as requesting new certificates, listing certificates, adding certificates. This feature has been added in Directory Server 6, because certutil, the utility available with the NSS library is not officially supported.

The dsadm utility does the work in most of the cases but there are some known limitations such as no support for the subjectAltName extension. For those advance use cases, the workaround is to use certutil (at your own risks).

One big difference between dsadm and certutil is the certificate store password. By default, the password is unknown to the administrators, and managed through a file. Certutil does require the password to be known.

To change the default password and be able to use certutil, you need to launch the following command as root or the owner of the directory server instance: